SINGLE FAULT CONDITION, short circuit and open circuit of any component (IEC 60601-1 3.1)

DENich

Involved In Discussions
#1
Hello,

Clause 8.1 b) dash #3 states that SINGLE FAULT CONDITION includes:

- short circuit and open circuit of any component other than a COMPONENT WITH HIGH-INTEGRITY CHARACTERISTICS that is connected in parallel with insulation, with an AIR CLEARANCE or with a CREEPAGE DISTANCE unless shorting can be shown not to be a failure mode for the component.


I find this wording pretty vague. Perhaps it is because I am a non-native English speaker.

I have doubts concerning which components should be subject to a short circuit test and an open circuit test in the case of SINGLE FAULT CONDITION:

1.
Should be subject to the tests:
any component that is connected in parallel with insulation, with an AIR CLEARANCE or with a CREEPAGE DISTANCE, unless shorting can be shown not to be a failure mode for the component.

Should not be subject to the tests:
any COMPONENT WITH HIGH-INTEGRITY CHARACTERISTICS

2.
Should be subject to the tests:
any component, unless shorting can be shown not to be a failure mode for the component

Should not be subject to the tests:
any COMPONENT WITH HIGH-INTEGRITY CHARACTERISTICS that is connected in parallel with insulation, with an AIR CLEARANCE or with a CREEPAGE DISTANCE


Moreover, as far as I understand, any component is connected in parallel with insulation, with an AIR CLEARANCE or with a CREEPAGE DISTANCE. So why bother to mention these conditions in the first place? I cannot come up with any device where electronic components are just soaring in space. They are all affixed to something.

I would be very grateful if somebody is able to clarify these issues to me!

Peter Selvey

Staff member
Super Moderator
#2
Although the standard does tend to harp on about the single fault condition, from the fundamentals of risk management it is really the protection that should be the focus of any assessment. If you have something dangerous, be it electrical, pressure, heat, radiation, you will generally build a protective barrier (or barriers) around the dangerous parts to prevent access or leakage. These barriers then become the focus of the assessment. If you have a part that bridges a protective barrier (such as a capacitor, resistor, optocoupler, transformer) it can be considered to fail unless it is proven to be a high integrity part, i.e. one that never fails (such as optocouplers rated for 4kV, or Y2 capacitors). That's what they are talking about.

As long as the design has protection that is reliable and effective, you don't need to worry about faulting parts inside the circuit. You only need to worry about any parts that might defeat the protective barrier or feature.
 

DENich

Involved In Discussions
#3
Grand thank you for your reply, Mr. Selvey!
Your rationale is completely plain and logical. I agree with you one hundred percent.

Nevertheless, I believe standards are a field of knowledge where wordings should be as sharp and precise as in jurisprudence. You are speaking about the "barriers" which are meant to protect living beings from dangerous parts of a device. Basically, it is the definition of a MOP. But the definition of SFC above mentions some indeterminate insulation, an AIR CLEARANCE and a CREEPAGE DISTANCE, which is not the same as a MOP.

Such inconsistencies between common logic and the wordings in the standard make me feel depressed :).

In practice, I see the sequence of actions like this:

1. Determine components a fault of which can lead to unacceptable RISK. In accordance with cl.4.9 "A COMPONENT WITH HIGH-INTEGRITY CHARACTERISTICS shall be used when a fault in a particular component can generate an unacceptable RISK." Therefore, a list of "to be" COMPONENTs WITH HIGH-INTEGRITY CHARACTERISTICS should be made (test laboratories call it "Critical parts list").

2. Make sure that the components from the list have approvals of compliance with relevant safety standards or evaluate them in a design by applying requirements/tests of IEC 60601 series.

3. Assess whether a short circuit or open circuit of each component from the list in that particular design can lead to unacceptable RISK. Take measures if so. The assessment can be executed by deploying a series of tests or by using analytic methods.
Components which are bridging MOP(s) should not be assessed in the particular design; they should either have approvals of compliance with relevant safety standards or be tested in accordance with IEC 60601 separately, for example, transformers.

Do you agree with me?
 

Peter Selvey

Staff member
Super Moderator
#4
Yeah, look, I think it's historical.

Standards probably started out being purely prescriptive for the protective features, and even today they are largely focused on the protection design even if they don't say directly.

For example, when we do an overload test on a transformer, we base the test around the design of the protective components (fuse, thermal cut-out, PTC etc.) and completely ignore the actual faults that could occur in the real secondary. This is an entirely reasonable approach, because single fault analysis would involve a massive effort (literally billions of permutations to analyse), is likely to be utterly unreliable (as is well established in literature), and would need to be re-evaluated with every change in the secondary. So instead, we base the tests on the limits of the protective device. That way, it does not matter what happens in the secondary; we can be sure that the transformer will stay below the temperature limits. Simple, neat, reliable, low cost and it works. It's used throughout IEC 60601 for shock, basic fire, pressure vessels, enriched oxygen, mechanical; and the principle is widely used in virtually any industry dealing with high risk scenarios. Boeing paid the price for briefly forgetting this principle with their 737MAX design - relying on a single sensor and failing to realise what could happen if that sensor fails.

However ... at some point in electrical safety we started to see more complex designs, such as switching power supplies. These did not fully fit into the neat protective structures that already existed. So my guess is that the standards added the "single fault condition" as back up for these special cases.

The thing is, there are lots of problems with using the single fault condition as a requirement. I could write a short book on it. In reality, a fault condition is just one of several tools we can use to verify that protection operates as expected, and it's part of a much bigger process of validating that the protection is broadly effective and has been implemented as planned. A "Pass" result from a fault test is just a tiny part of a much bigger story.

As such, the single fault condition "requirement" should be literally interpreted by designers as a requirement to implement some form of effective protection. Having a test lab perform a particular fault condition, get a pass result, and state it is safe is really a big fudge.

In terms of basic electrical safety, this fudge is basically OK because (a) most of the standard is anyhow very prescriptive for the protection (dielectric strength, spacings, thickness, sealed joints, certified components etc.) and (b) if the hazard is serious, most designers instinctively know it needs a protection based approach. So it's rare that a manufacturer would rely entirely on a single fault analysis for a high risk situation for the basic stuff like shock from mains, fire and so on.

However, in the context of functional safety for high risk devices, the single fault condition is frequently interpreted as a "requirement". This in turn leads to designs that have a patchwork of risk controls targeted at selected faults, such as watch dog timers for CPU lock up, or sensor short/open detection. This patchwork approach is far from "state of the art" for high risk systems, but is often found in medical devices. I'm 100% sure that IEC 60601 could be challenged in Europe as being insufficient to support the essential requirements (or whatever they are called these days :)).

My rant for the day!!!
 

DENich

Involved In Discussions
#5
What can I say... Amen to that! :))

Unfortunately, the more I dig into 60601, the stronger the feeling I have that designing a safe device and getting a certificate of compliance to 60601 are not exactly the same tasks.

I do not say that 60601 is utterly useless. It does draw attention to very important aspects of safe designing. But at the same time it leaves a lot of significant issues aside and even those mentioned are pretty uncertain and confusing sometimes. I would even say that getting the certificate is to a large extent just a marketing trick. Which is sad.

Thanks a ton for your opinion! Now I know that I am not alone having such thoughts:))
 

Apex Hao

Starting to get Involved
#6
Hi Peter, as usual I enjoy reading your insights on product safety.

Did you manage to get a book or an article written on single fault analysis? Or is there any thread that covers it comprehensively? I would love to read it.
 

Tidge

Trusted Information Resource
#7
I enjoyed the rant!

> However, in the context of functional safety for high risk devices, the single fault condition is frequently interpreted as a "requirement". This in turn leads to designs that have a patchwork of risk controls targeted at selected faults, such as watch dog timers for CPU lock up, or sensor short/open detection. This patchwork approach is far from "state of the art" for high risk systems, but is often found in medical devices. I'm 100% sure that IEC 60601 could be challenged in Europe as being insufficient to support the essential requirements (or whatever they are called these days :)).

I highlighted "context" because my own feeling is that the current (2020) theory of risk controls in medical devices feels to me as if context is usually ignored, or if it is considered it will be hidden within something like an RCOA. I'm not quite ready to challenge all of 60601, but I definitely feel that at least one collateral standard (60601-1-8, 'alarm systems') could be more tolerant of context. I have a sense that 'context' has become something of a trigger word.

Specific to 60601-1-8, the patchwork approach to risk controls described above can lead to implementing alarm signals with audible components that (within the context for a primary use case) if implemented as prescribed in the collateral standard would be distracting... both in terms of attention and necessary action. The 60601-1 standard allows some wiggle room on 'requirements' from the POV of risk analysis, but no NRTL wants to be bothered to understand a greater risk analysis when they can stay within a collateral (or particular) standard and write "FAIL".

14971 doesn't exactly help with this issue, as sometimes a line of risk analysis is made 'acceptable' by implementing an indicator of some type... but the line between an indicator and an alarm signal can be fuzzy, especially if the risk analysis moves from unacceptable to acceptable because of the indicator/signal.
 

Peter Selvey

Staff member
Super Moderator
#8
I'm not sure if I have the latest edition of 60601-1-8, but last time I dug into this issue I found that having an indicator as a risk control triggered the applicability of the standard but inside the standard most of the requirements are not applicable for run of the mill non-urgent indications like "change the filter".

So, you end up preparing a long report that only has one or two items that are applicable, and they are also fairly innocuous requirements at that. There are no requirements (again from memory) that enforce annoying large visual indications, audible and so on. In that sense, it does not affect the design or risk management (since an indication to change the filter is ultimately a risk control), but it does affect the reporting.

This could be a pain in the NRTL context as they charge large fees for each additional standard. But I would check the wording in the standard carefully if you feel it is enforcing any unreasonable, distracting alarm indications.
 

Tidge

Trusted Information Resource
#9
Specific to my circumstances and the NRTL/Alarms discussion: one of the 'fuzzy lines' that I've encountered is that (in my professional opinion) sometimes things get called 'alarms' (by design teams and/or marketing teams) that would appear (to a lay person) to meet the definition of an 'alarm' but from a 'first principles' approach (starting with 14971 and 60601-1) would not be called alarms. I'm not referring to the distinction between technological and physiological alarm conditions and the means of indicating each. A problem I have encountered is that once a device is marketed with a (layman's) 'alarm system' it becomes practically impossible for an ME designer to avoid 60601-1-8 at an NRTL. I suppose it would be easier if the IFU/manuals never called out such 'alarms', but this is a very slippery slope to navigate.

Now for some discussion about designing an ME device for which 60601-1-8 is perfectly applicable: 60601-1-8's 'alarm condition priority' grid is a really powerful tool, but in certain contexts (e.g. within some use cases) the priority of any given alarm should be deprioritized. This deprioritization I refer to is based on clinical feedback, published articles, and accepted 'state of the art' practices.

The issue I have is that 60601-1-8 doesn't explicitly allow an individual piece of equipment's alarm system to behave as if a specific alarm condition has more than one priority (i.e. sometimes one condition should be a lower priority) and thus require different behavior/permissions... a standalone ME device's alarm system essentially has to be designed (and tested) against its own use case. I personally feel that 14971 and 60601-1 are written to allow the wiggle room to implement the 'most correct' design choice... but what the NRTL sees is a 'FAIL' followed by 'wiggling'... even if you made this obvious to them prior to the test!
 

Peter Selvey

Staff member
Super Moderator
#10
This is off topic? Anyway ...

Use of the term "alarm" (or not) in the IFU or other places is irrelevant. The decision point is whether the indication is used as a risk control measure in the risk management file. So one manufacturer might throw around the word "alarm" carelessly for everything, while another might take extreme care to avoid the word "alarm"; in both cases it does not matter, only what is in the RMF.

As for priorities etc, I agree there is a lot of flexibility in 601-1-8, I think they support the "less is more" approach. If the NRTL decides that more alarms are better, make sure they put it in writing, with appropriate references and having had it reviewed internally, and take it to their accreditation body in the form of a complaint.